
5/21/2012

How to fix a messed up domain controller

Just get rid of it!
  • Disconnect the DC from the network
  • Run dcpromo /forceremoval
  • On Windows Server 2003, use NTDSUTIL to do a "metadata cleanup" and remove the DC from your AD (see below). If you have at least one Windows Server 2008 DC, open Active Directory Users and Computers on that 2008 DC, find the bad DC, right-click it and delete it.
Metadata Cleanup using NTDSUTIL
MS Article 216498 explains how to forcibly remove a domain controller account from AD using NTDSUTIL.
http://support.microsoft.com/kb/216498
Time to Check Sysvol
Sysvol is a share found on every domain controller; it contains files needed by DCs. The big ones are the file components of group policy objects (GPOs), called "group policy templates" or GPTs, as well as logon scripts. Sysvol is a neat, built-in implementation of DFS (Distributed File System) that is multi-master: if you have four DCs named DC1, DC2, DC3 and DC4, you can drop a file into any one of those four Sysvol folders, and eventually DFS will ensure that a copy of that file lands in each of the other three Sysvols. Being able to introduce a new file into any member of the family of Sysvols is why it's said to be "multi-master." On 2003 SP3 and later, there's a command that forces replication from a source DC (DC3, in this example) to a destination DC (DC2, in this example):
ntfrsutl.exe forcerepl DC2 /r "Domain System Volume (SYSVOL share)" /p DC3
Check SYSVOL before upgrading
Go to each DC. In its Sysvol, create a small text file whose name reflects the DC you created it on, such as [dcname].txt. Wait a while, then go to each DC and look in its Sysvol: there should be a file for each domain controller. If, for example, DC4's dc4.txt shows up nowhere, then DC4 probably has the problem. To fix it, run DCPROMO to demote it and, if the rest of the network doesn't see that you've demoted it, remove the DC's account from the Domain Controllers OU and remove its metadata. Once it is successfully removed, test again by creating another unique file in each DC's Sysvol and make sure everything is cool.
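The canary-file check above, scripted as an added example (not from the original post or from Microsoft): it drops one file per DC into that DC's Sysvol, waits, then builds a matrix of which canaries arrived where. The DC names, the domain name and the \\DC\SYSVOL\<domain> share layout are assumptions; adjust them for your forest.

```powershell
# Added example: automate the Sysvol canary check described above.
# Assumptions (constructed, not from the post): DC names, domain DNS name,
# and that each DC exposes its Sysvol at \\<dc>\SYSVOL\<domain>.
param(
    [string[]]$DomainControllers = @('DC1', 'DC2', 'DC3', 'DC4'),
    [string]$DomainDnsName = 'corp.example',
    [int]$WaitMinutes = 15
)

function Get-SysvolRoot([string]$Dc) {
    # Sysvol share path on a given DC (assumed layout \\DC\SYSVOL\<domain>)
    return "\\$Dc\SYSVOL\$DomainDnsName"
}

function New-SysvolCanary([string[]]$Dcs) {
    # Drop one canary per DC into that DC's own Sysvol, stamped with its origin
    foreach ($dc in $Dcs) {
        $path = Join-Path (Get-SysvolRoot $dc) "$dc.txt"
        Set-Content -Path $path -Value "created on $dc at $(Get-Date -Format o)"
    }
}

function Test-SysvolReplication([string[]]$Dcs) {
    # For every destination DC, record which origin canaries have arrived
    $report = foreach ($dest in $Dcs) {
        $root = Get-SysvolRoot $dest
        foreach ($origin in $Dcs) {
            [pscustomobject]@{
                Destination = $dest
                Origin      = $origin
                Present     = Test-Path (Join-Path $root "$origin.txt")
            }
        }
    }
    return $report
}

New-SysvolCanary $DomainControllers
Start-Sleep -Seconds ($WaitMinutes * 60)
$results = Test-SysvolReplication $DomainControllers
$results | Format-Table -AutoSize

# A DC whose canary reached none of the other DCs is the likely broken replica
$suspects = $results |
    Where-Object { -not $_.Present -and $_.Origin -ne $_.Destination } |
    Group-Object Origin |
    Where-Object { $_.Count -eq ($DomainControllers.Count - 1) } |
    Select-Object -ExpandProperty Name
if ($suspects) { Write-Warning "Canary never replicated from: $($suspects -join ', ')" }
```

Run it from an account with write access to every Sysvol; a DC listed in the warning is the one to investigate or demote, as the post describes.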

Thanks to:
http://www.minasi.com/newsletters/nws1205.htm
